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quantum attacks using Grover's amplitude 
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^ ■ 1 Introduction 

> : 

■ Watrous0 had presented the first proof of zero- knowledge property of a proof 
' system against a quantum verifier. The key of the proof is the construction 
. of a quantum simulator. In the construction, the 'failure state' is rotated to 

(<~^ ' the 'success' state by a tricky operation which is initially developped for the 

\^ , amplification of QMA proof systems. 

' This manuscript presents a new and simpler construction of a simulator. 

, In the construction, we simply amplify the success probability of a classical 

^ i' simulator using Grover's amplification. 

' 

c3 ; 2 The Goldreich-Micali-Wigderson Graph Iso- 
qh; morphism Proof System 

i> ! 

. ^ I The Goldreich-Micali-Wigderson graph isomorphism protocol is a well-known 

. example of a proof system that is perfect zero- knowledge against classical polynomial- 

5-H ' time verifiers. In this section it is proved that this protocol is in fact zero- 

. 5^ 1 knowledge against polynomial-time quantum verifiers. The method can be ex- 
tended to several other protocols. 



2.1 The protocol 

Let a; be a pair of graphs (Go,Gi), and i be a set of pairs with Gq — Gi. 
Hereafter, P denotes the prover, and V the verifier. 

(a) P randomly chooses a permutation r on the graph, and sends t(Go) to V. 

(b) V sends a random bit a G {0, 1} to P. 

(c) P send a permutation tt, and V accepts if t(Go) = 7r(Ga). 
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To decrease the error probability, (a)-(c) are repeated for polynomially many 
times. 

The quantum description of this classical protocol is as follows. Let V and 

A be the y's workspace and a qubit which stores output of the simulator at the 
end the step (b), respectively. The register y stores the message from P to V 
in the step (a). We also denote by W the register for an auxiliary input \ip). 
The initial state is 

|V)|0v>|0^)|03;). 

After the step (a), 

IV) (VI ® |0v) (OvI ® |0^) (0^1 ® ^ V |r(Go)) (r(Go)| 

The honest verifier will apply Hadamard transform to |0^) and measure A in 

the step (b), 

^ IV) w iov) (OvI ® E 1"-^) ® E i^(^o)) <^(<^o)| . 

ae{0,l} reSr, 

In general, however, a verifier will apply an unitary transform Uy onW A^y, 

and measure A. 

^ Wa) {aA\ Uv (IV) (V-l ® |0v) (OvI ® |0^) (0^1 ® |t(Go)) (t(Go)|) (a^| • 

' reS„,aS{0,l} 

After this, the step (c) follows, but we omit the description of this part, for this 
step is easy to simulate once a simulation of the steps (a)-(b) is given. 

2.2 A simulator 

A classical simulator is constructed as follows. Assume that Go — Gi. The 
simulator randomly chooses b € {0, 1} and tt G Sn, and compute 7r(G(,) which 
mimics P's first message. Then it applies the operation of V on the simulated 
message from P, producing an output a G {0,1}, or the message to P. If 
a = b, IT chosen previously can mimic the second message from P to V, and 
the simulation succeeds. If a ^ 6, we "rewind", or abort and restart from the 
beginning. This successfully simulates the single round of GMW protocol with 
probability |, meaning that the simulation succeeds with high probability after 
some iterations. 

To simulate the iterations of the single round, the simulator also has to be 
repeatedly run. Observe that in rewinding, the simulation only has to restart 
from the beginning of the present round, with the record of the final state of 
the previous round being copied in some registers. Otherwise, the simulation 
would take exponential time. In quantum case, however, this part fails because 
of the no-cloning principle. 
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Here we show how to bypass this difficulty: Grover's amplitude amplification 
can increase the success probability of the simulation of each round up to 1, and 
thus there is no need for rewinding. 

Let us define 

X = V(g)A(g>y(g>B(g>Z, 

where Z and B stores random bits specifying a permutation tt on the graph and 
a random bit b, respectively. 

Let us denote by A a unitary operation corresponding to the the classical 
simulator other than rewinding part, 

A\^p)\Ox) = 

^ J2 (f/y|^)|0v>|0>|7r(G,)))|6)|vr>. 



be{Q,l},-!reS„ 



We apply amplitude amplification to this operation. Define a unitary transform 
S^, Sf in A- by 



On 



- {cf,-l)Iw<E)\Ox) {Ox\+l, 



Sf : =((^-l)n^ + L 
where H is the projection onto success event, 

n:= ^ Iw^V^lb) {b\(^Iy<»\b) {b\(^Iz. 
6e{o,i} 

These phase factors are chosen according to lemma 3 in 

Observe that a = b occurs with probability ^, for all the state because 
b S {0, 1} is uniformly random, and does not affect the input of Uy- This 
assures us the identity 

{Ox\A-'TlA\Ox) = ilw- (1) 
More rigorously, this is true for the following equalities holds for any \ip): 

\\nA\^)\Ox)\f 



1 

1 
2^ 



Iw»v ® |a) (a| <^ly<^ \a) {a\ « Iz {Uy |^) |0v) |0) |7r(Gf,)) ) \b) K) 

a,b6{0,l}:TreS„ 

2 

Iw»v ® \b) {b\ (g, Iy<^B<»z {Uv m |0v> |0) HGb)) ) |6> k) 

bG{0,l},7reS„ 



^ E E ® {b\ ® ly {Uv |0v) |0) HGt)) )\\' 

' 6e{o,i} 7res„ 

^ E E II W ^ {b\ ly {Uv W |0v) |0) \nT\Go)) ) | 



be{0,l} -rreSn 
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^ E E l|I>v»v ® {b\ ® ly {Uv H) |0v) |0) |7r(Go)) )|| 



2n' 

' 7res„ be{o.i} 

-El ' 

2n! ^ 

7reS„ 



2' 



where in the thhd hne, t{Gq) — Gi. Using the equation J^l, as shortly de- 
scribed, we can expUcitely check the foUowing identity 

AS'o^-^SlA 1^) \0x) = (^ - l)nA|V) \0x) ■ (2) 

Measure B and Z, and compute n^Gb), and store its resuh some register, say 
Z' . Trace out the register. Then, the final state is 

^ E 1^-4) Uv m (^1 ® |0v) (OvI ® |0^) (0^1 ® |7r(G„)) (^(Ga)|) i7^|a^) (a^| 

7reS„,ae{0,l} 

«)|7r(Ga))z'2' ^(Ga)| 

= ^ E |a-4>(«^|t/y(IV^)(V'l®|0v>(0v|®|0^>(0^|®|r(Go))(T(Go)|)t/i.|a^)(a^| 

reS„,aG{0,l} 

'^|r(Go))z' (t(Go)|. 

This shows that 7r(Gf,), W (8) V (g) -4 (8) 3^, and Z mimics the message from P to 
V in the step (a), the F's final state in the step (b) and the message from V to 
F, and the message from P to F in the step (c), respectively. 

Below, we use the block representation in which ji/)) \^x) writes 



IV') |o 







In that representation. 



SI 



11^,12 





n 





A,12 



Therefore, 



ASl 
A 

{^~^)A 



ASl-A-'S'oAW\Ox) 
AS{-{{i-l)A-^UA + l) \^)\0x) 

(¥ + 1)1^) 
{i-1)Pa,12W 

(1-1)0^,121^-) 

{i-l)AA-'llA\^) \0x) 
{i - l)UA\ij) \0x) . 
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This is our assertion Q. 



2.3 Watrous's simulator revisited 

Instead of doing Grover's amplitude amplification, we can perform the measure- 
ment n to the state A|'0)|Oa:'). If the success event is observed, we are done. 
This occurs with probability i. Otherwise, the state of the system colllapses 
to V2(I - Il)A\ip)\Ox), and AS^^A''^, or reflection about A\ip)\Ox) maps this 
state to \/2nA|V')|0A'), which corresponds to success. 

This simulation is the same as the one presented in 2 , although the presen- 
tation is different. 



3 When success probability is not | 
3.1 Amplification operations 

The construction in the previous section seemingly depends on the fact that the 
success probability equals i. In the section, we show that if we have 



A-^nA 



n 



IIa,12 11^.22 



our method works for any success probability A, if proper phase shifts are intro- 
duced. Especially, we have to check that repetition of the amplification works 
in the same as the case where the auxiliary input lip) is absent. 
Then, the identity 



{A~^UA) 



n 



t 

A. 12 



nA,i2 \nl„ + n\„UA,: 



An^42 + iiyi, 2211^,12 n^,i2n|^^j2 
A-^nA 



^M,22 



implies 



(A' - A) Iw 

11^42 n^.i2 



11^,2211/1.12 



n 



A, 22 






nA,22- 



Define also 



\succ) 



\fatl) 



IIA\^) \0x 



-.A 



Va 

(I -n) A 1^)10;,) = 



AIV') 

1 



A 



(I-A)IV) 

-n^.i2 M 
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Then we have 



AStA-^S'(\succ} 



A 

7x 

A 

7t 

A 

Va 

A 

7% 



AStA-^S'^A ■ 
</){A(^-l) + l}Iw 

{lP - 1)11^,12 

A0{A(^-1) + 1} 



\succ) 



(V3 - 1) nA,22 + I 



A,12 

1) 11^,22 11^,12 
2 



12 



A|^) 



f nA,i2]|^> 



[\4> {A - 1) + 1} - (A^ - A) 4>{^ - 1)] IV;) 

[A((^ - 1) - (A - 1) - 1) + 1] nA,i2 1^) 



= A 



^nA^i2 



= ip{X(l)+l-X) \succ) - ipy/X (1 - A) (1 - 0) \fail) 



AS^A-^Sf \fail) = A^^A-i^f ^ • A-^ \fml) 



A 



A 



0{A(¥>-l) + l}Iw 

((^-1)Pa,12 



0(^-1)^1 



(l-A)l^) 

-Pa.12 W 



A 

7t 

A 



A 



(95 - 1) Pa,22 + I 

(1 - A) {A - 1) + 1} - 0(^ - 1)pXi2^a,i2] |^> 

[(1 - A) - 1)Pa,12 - (V' - 1) Pa,22PaS2 - Pa,12] |^) 

[(1 - A) {A ((^ - 1) + 1} + (A^ - A) - 1)] \^) 
[(1 - A) - 1) + (A - 1) - 1) - 1] Paa2 |^> 



nA,i2 Iv 



= -v/A(l - A) (1 - (j)) \succ) + (A + (1 - A) (j)) \fail) . 

Therefore, the hnear space spanned by {\succ) , \fail)} is hivariant by the action 
of ASq A~^ Sf . EspeciaUy, in = 1^9 = —1 case, 



-AS^A-^Sf\succ) = (1 - 2A) \succ) - 2^X (1 - A) \fail) 
-AS^A-^Sf\fail) = 2^JX (1 - A) \succ) + (1 - 2A) \fail) 

and — ASq A~^ corresponds to one step of Grover's search. Therefore, triv- 
ially, the repetition of the our amplification works in the same manner as the 
case where the auxiliary input is absent. Also, by choosing the phase factors 
property, we can control the speed of the amplification as in 

3.2 Computational zero-knowledge proof systems for NP 

As is mentioned in subsection 4.2 in j^, a zero- knowledge proof system for 
Graph 3-Coloring (G3C) yields a zero-knowledge proof for any problem in NP. 
|2] presents a simulator for a classical proof system which is secure against attack 
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by any quantum verifier. In this subsection, we present a new construction of 
simulator for this proof system. 

In the construction of |2] , the essential part is the amplification of the success 
probability of a simulator A which succeeds with probability ^ with m being a 
polynomially-bounded function of the input length n. 

We can construct such an amplification using Grover's amplitude amplifica- 
tion as is studied in the previous subsection. 

On the other hand, the amplification used in [2] can be described in the 
language of Grover's amplitude amplification as follows. First, apply A to the 
initial state 1-0)10^^) , and apply the measurement 11. If the success event is 
observed, the simulation will be successful, and this success event occurs with 
the probability Otherwise, the state collapses to \fail), at which point the 
reflection operator ASq^A^^ is applied. This changes the state to 



\succ) + \ I Ifa.'il) , 

V m 

and the measurement 11 is applied to this, producing |succ) with the probability 
^ . The process continues in this way, with each iteration yielding a successful 
simulation with probability at least ^ . 
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